From a6c1f687661c2d19bd0b4fa59ff4a696ab4a2497 Mon Sep 17 00:00:00 2001
From: songshiyuan 00649746
Date: Mon, 15 Jul 2024 19:51:54 +0800
Subject: [PATCH 1/2] [fix] fix the problem of can not get the info of environments when open rbac.

---
 server/plugin/auth/buildin/buildin.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/server/plugin/auth/buildin/buildin.go b/server/plugin/auth/buildin/buildin.go
index d9570c7c6..e4cdd013b 100644
--- a/server/plugin/auth/buildin/buildin.go
+++ b/server/plugin/auth/buildin/buildin.go
@@ -47,6 +47,8 @@ var tokenCache = cache.New(cacheDefaultExpireTime, cacheDefaultCleanUpTime)
 const cacheErrorItemExpTime = 5 * time.Minute
 const cacheDefaultExpireTime = 5 * time.Minute
 const cacheDefaultCleanUpTime = 10 * time.Minute
+const getEnvirOnMentPath = "environments"
+const getVerb = "get"
 
 func init() {
 	plugin.RegisterPlugin(plugin.Plugin{Kind: auth.AUTH, Name: "buildin", New: New})
@@ -215,6 +217,11 @@ func checkPerm(roleList []string, req *http.Request) ([]map[string]string, error
 	if hasAdmin {
 		return nil, nil
 	}
+	pattern := getRequestPattern(req)
+	verb := rbacsvc.MethodToVerbs[req.Method]
+	if strings.Contains(pattern, getEnvirOnMentPath) && verb == getVerb {
+		return nil, nil
+	}
 	// todo fast check for dev role
 	targetResource := FromRequest(req)
 	if targetResource == nil {

From 8c358031e8e88e7c6b8c6ad09217575a44de10b2 Mon Sep 17 00:00:00 2001
From: tornado-ssy <64736788+tornado-ssy@users.noreply.github.com>
Date: Thu, 27 Jun 2024 22:37:18 +0800
Subject: [PATCH 2/2] [fix] fix the problem of vertial ultra vires when only open the console auth (#1484)

---
 etc/conf/app.conf | 1 +
 server/config/config.go | 3 ++-
 server/config/server.go | 5 +++--
 server/plugin/auth/buildin/buildin.go | 17 ++++++++++++++---
 server/service/rbac/rbac.go | 6 +++++-
 5 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/etc/conf/app.conf b/etc/conf/app.conf
index ff086dfce..0c61a5466 100644
--- a/etc/conf/app.conf
+++ b/etc/conf/app.conf
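Review bot: The new constant names `getEnvirOnMentPath` and `getVerb` in the first hunk do not follow Go MixedCaps — the capitals fall inside a word (`EnvirOnMent`) and the `get` prefix reads like a function rather than a path fragment; `disCoveryType` in the second patch's constant hunk has the same shape. Names that say what the value is, such as `environmentsPath = "environments"` and `verbGet = "get"`, would keep the constant block consistent with the `cache...` constants above it.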
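Review bot: The added short-circuit in checkPerm exempts every route whose pattern merely contains the substring "environments" from permission checking on GET, for any non-admin role, because the test is `strings.Contains(pattern, getEnvirOnMentPath)` rather than a comparison against the full route pattern, and nothing ties the exemption to a resource/role rule. If the intent is that every authenticated role may read environments, expressing that as a resource-to-role rule inside the RBAC service keeps the allow rule visible and auditable next to the other rules instead of hard-coded in the authorizer; at minimum compare the whole pattern exactly and add a comment above the `if` stating why GET on environments is exempt. checkPerm begins before this hunk and continues after it.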
@@ -25,6 +25,7 @@ frontend_endpoint_cidr = 127.0.0.1/32
 # httpaddr = fe80::f816:3eff:fe17:c38b%eth0 (link-local scope)
 httpaddr = 127.0.0.1
 httpport = 30100
+rbac_allow_missToken = ${RBAC_ALLOW_MISSTOKEN||false}
 
 ###################################################################
 # sever options (deprecated, pls use app.yaml instead)
diff --git a/server/config/config.go b/server/config/config.go
index b500022c3..a19fb49e1 100644
--- a/server/config/config.go
+++ b/server/config/config.go
@@ -186,7 +186,8 @@ func loadServerConfig() ServerConfig {
 			SchemaDisable: GetBool("registry.schema.disable", false, WithENV("SCHEMA_DISABLE")),
 			SchemaRootPath: GetString("registry.schema.schemaRootPath", "", WithENV("SCHEMA_ROOT_PATH")),
-			EnableRBAC: GetBool("rbac.enable", false, WithStandby("rbac_enabled")),
+			EnableRBAC: GetBool("rbac.enable", false, WithStandby("rbac_enabled")),
+			AllowMissToken: GetBool("rbac.allowMissToken", false, WithStandby("rbac_allow_missToken")),
 		},
 	}
 }
diff --git a/server/config/server.go b/server/config/server.go
index 9a2a0f288..107307d55 100644
--- a/server/config/server.go
+++ b/server/config/server.go
@@ -48,7 +48,8 @@ type ServerConfigDetail struct {
 	EnablePProf bool `json:"enablePProf"`
 	EnableCache bool `json:"enableCache"`
-	EnableRBAC bool `json:"enableRBAC"`
+	EnableRBAC bool `json:"enableRBAC"`
+	AllowMissToken bool `json:"AllowMissToken"`
 	LogRotateSize int64 `json:"-"`
 	LogBackupCount int64 `json:"-"`
@@ -64,7 +65,7 @@ type ServerConfigDetail struct {
 	SelfRegister bool `json:"selfRegister"`
-	//CacheTTL is the ttl of cache
+	// CacheTTL is the ttl of cache
 	CacheTTL time.Duration `json:"cacheTTL"`
 	GlobalVisible string `json:"-"`
diff --git a/server/plugin/auth/buildin/buildin.go b/server/plugin/auth/buildin/buildin.go
index e4cdd013b..e22e26681 100644
--- a/server/plugin/auth/buildin/buildin.go
+++ b/server/plugin/auth/buildin/buildin.go
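Review bot: The new `rbac_allow_missToken` key carries no comment, unlike the neighbouring `# httpaddr = ...` line, and its effect — per the buildin.go change in this same patch, a request with no Authorization header is accepted with a nil account instead of being rejected — cannot be read from the name. Add a line above it such as `# rbac_allow_missToken: when rbac is enabled, accept requests that carry no Authorization header (nil account) instead of rejecting them; default false`.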
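Review bot: The new field's tag `json:"AllowMissToken"` is PascalCase while every neighbouring tag (`enablePProf`, `enableCache`, `enableRBAC`) is lowerCamel, so the serialized name will be inconsistent with the rest of ServerConfigDetail; change the line to `AllowMissToken bool` with the tag `json:"allowMissToken"`. Since a JSON field name is hard to change once consumers depend on it, the casing should be settled before this ships. ServerConfigDetail starts before this hunk and continues after it.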
@@ -23,9 +23,11 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"reflect"
 	"strings"
 	"time"
 
+	"github.com/go-chassis/cari/pkg/errsvc"
 	rbacmodel "github.com/go-chassis/cari/rbac"
 	"github.com/go-chassis/go-chassis/v2/security/authr"
 	"github.com/go-chassis/go-chassis/v2/server/restful"
@@ -50,6 +52,8 @@ const cacheDefaultCleanUpTime = 10 * time.Minute
 const getEnvirOnMentPath = "environments"
 const getVerb = "get"
 
+const disCoveryType = "*errsvc.Error"
+
 func init() {
 	plugin.RegisterPlugin(plugin.Plugin{Kind: auth.AUTH, Name: "buildin", New: New})
 }
@@ -101,15 +105,22 @@ func getRequestPattern(req *http.Request) string {
 }
 
 func (ba *TokenAuthenticator) mustAuth(req *http.Request, pattern string) (*rbacmodel.Account, error) {
-	if !rbacsvc.MustAuth(pattern) {
-		return nil, nil
+	account, err := ba.VerifyRequest(req)
+	if err == nil {
+		return account, err
 	}
-	return ba.VerifyRequest(req)
+	if rbacsvc.MustAuth(pattern) {
+		return nil, err
+	}
+	return nil, nil
 }
 
 func (ba *TokenAuthenticator) VerifyRequest(req *http.Request) (*rbacmodel.Account, error) {
 	claims, err := ba.VerifyToken(req)
 	if err != nil {
+		if reflect.TypeOf(err).String() == disCoveryType && err.(*errsvc.Error).Code == rbacmodel.ErrNoAuthHeader && rbacsvc.AllowMissToken() {
+			return nil, nil
+		}
 		log.Error(fmt.Sprintf("verify request token failed, %s %s", req.Method, req.RequestURI), err)
 		return nil, err
 	}
diff --git a/server/service/rbac/rbac.go b/server/service/rbac/rbac.go
index 5d1808efd..3c3ff5d10 100644
--- a/server/service/rbac/rbac.go
+++ b/server/service/rbac/rbac.go
@@ -135,7 +135,7 @@ func readPublicKey() {
 	log.Info("read public key success")
 }
 func initFirstTime() {
-	//handle root account
+	// handle root account
 	pwd := getPassword()
 	if len(pwd) == 0 {
 		log.Warn("skip init root account! Cause by " + InitPassword + " is empty. " +
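Review bot: In VerifyRequest the new guard identifies the error with `reflect.TypeOf(err).String() == disCoveryType` followed by an unchecked `err.(*errsvc.Error)` assertion; this is fragile (it silently stops matching if the error is ever wrapped, and a type-name string can drift) and duplicates what `errors.As` already does, with `errors` imported at the top of this file. Replace it with `var svcErr *errsvc.Error` and `if errors.As(err, &svcErr) && svcErr.Code == rbacmodel.ErrNoAuthHeader && rbacsvc.AllowMissToken() {`, which also removes the need for the `reflect` import and the `disCoveryType` constant added in the earlier hunks. Note what this guard does: with AllowMissToken on, a request with no Authorization header returns a nil account and nil error, so mustAuth returns `nil, nil` even for patterns where `rbacsvc.MustAuth` is true — every caller after mustAuth must handle a nil *Account, which is outside this hunk and worth a comment on mustAuth. Separately, mustAuth now calls VerifyRequest unconditionally, so on routes that do not require auth a request with no token (AllowMissToken off) or a bad token reaches the `log.Error` line on every request where the old code skipped verification entirely; consider checking `rbacsvc.MustAuth(pattern)` before logging at error level.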
@@ -176,6 +176,10 @@ func Enabled() bool {
 	return config.GetRBAC().EnableRBAC
 }
 
+func AllowMissToken() bool {
+	return config.GetRBAC().AllowMissToken
+}
+
 // PublicKey get public key to verify a token
 func PublicKey() string {
 	return archaius.GetString("rbac_public_key", "")
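Review bot: `AllowMissToken` is exported but has no doc comment, while its neighbour `PublicKey` does; add `// AllowMissToken reports whether a request carrying no Authorization header is accepted (nil account, no error) by token verification instead of being rejected.` above it. Per Go convention the comment should begin with the function name so it surfaces in godoc and lints cleanly.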